Privacy Policy
The HEAL Project Field Trip Management Platform
Effective Date: 5/15/2026
Last Updated: 5/15/2026
1. INTRODUCTION
The HEAL Project ("we," "us," or "our") is a California nonprofit organization that provides educational field trip experiences at our farm for schools. This Privacy Policy describes how we collect, use, disclose, and protect personal information through our Field Trip Management Platform (the "Platform") located at thehealproject.org.
This Privacy Policy applies to all users of the Platform, including school contacts, educators, and administrative users. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
For questions about this Privacy Policy or our privacy practices, please contact us at:
Email: info@thehealproject.org
Mailing Address: The HEAL Project, PO Box 3051, Half Moon Bay, CA 94019
2. INFORMATION WE COLLECT
2.1 Information You Provide Directly
When you use our Platform to register for field trips, we collect the following categories of personal information:
Registration Information
Contact name and email address
Invoice recipient name and email address
Billing address (street, city, state, ZIP code)
School or organization affiliation
Educator Information
Educator names and email addresses for each class registered
Class Information
Grade levels and student counts (aggregate numbers only; individual student names are not collected)
Chaperone counts
Trip preferences and scheduling information
Form Responses
Responses to custom registration questions configured for specific trip types
Stipend Documentation
Documentation URLs submitted for bus stipend requests
Cancellation reasons (if you cancel a booking)
2.2 Information Collected Automatically
When you access the Platform, we automatically collect certain technical information:
IP address (for security, rate limiting, and fraud prevention)
Browser user agent string (browser type and version)
Session information (to maintain your login state)
Timestamps of your interactions with the Platform
2.3 Information from Third Parties
If you sign in using Google Sign-In, we receive the following information from your Google account:
Your name
Your email address
Your Google account identifier
3. HOW WE USE YOUR INFORMATION
We use the personal information we collect for the following purposes:
Processing and managing field trip registrations
Sending booking confirmations, reminders, and updates via email
Generating invoices and processing billing
Administering bus stipend programs for eligible schools
Communicating with educators about upcoming trips
Maintaining security and preventing fraud through audit logging
Enforcing rate limits to protect the Platform from abuse
Improving our services and user experience
Complying with legal obligations
4. INFORMATION SHARING AND DISCLOSURE
We share personal information with the following categories of third parties:
Service Providers
We use the following service providers who process personal information on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Cloud Platform | Application and database hosting | All data stored on the Platform |
| Firebase (Google) | User authentication | Email, name, authentication tokens |
| Google Maps API | Address lookup and mapping | Address search queries |
| SendGrid | Transactional email delivery | Names, emails, email content |
Sale of Personal Information
We do not sell your personal information to third parties.
We do not share your personal information with third parties for cross-context behavioral advertising purposes.
Legal Requirements
We may disclose personal information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).
5. COOKIES AND TRACKING TECHNOLOGIES
We use the following cookies and similar technologies:
Essential Cookies
Session Cookie: Used to maintain your authenticated session. This cookie is HttpOnly, Secure, and expires after 8 hours of inactivity.
Rate Limiting: We track request patterns to prevent abuse of the Platform. This data is stored temporarily and automatically deleted.
Third-Party Services
When you use certain features of the Platform, third-party services may set their own cookies:
Google Sign-In: If you authenticate using Google, Google may set cookies according to their privacy policy.
Google Maps: When address autocomplete is used, Google Maps may collect information according to Google's privacy policy.
What We Do Not Use
We do not use:
Advertising or marketing cookies
Analytics tracking cookies (e.g., Google Analytics)
Social media tracking pixels
Cross-site behavioral tracking technologies
6. DO NOT TRACK SIGNALS
"Do Not Track" (DNT) is a privacy preference that users can set in their web browsers. When a user enables DNT, the browser sends a signal to websites requesting that the user's browsing activity not be tracked.
Our Response: This Platform does not currently respond to DNT signals. However, we do not engage in cross-site tracking or behavioral advertising, so the practical impact is minimal. We only collect information necessary to provide our services as described in this Privacy Policy.
7. THIRD-PARTY CROSS-SITE TRACKING
We do not allow third parties to collect personally identifiable information about your online activities over time and across different websites when you use our Platform.
However, please note that some of our service providers (such as Google, through Firebase and Google Maps) may independently collect information about your activities across different websites. For information about how Google collects and uses data, please visit:
8. YOUR RIGHTS AND CHOICES
You have the following rights regarding your personal information:
Right to Know
You may request that we disclose to you the categories and specific pieces of personal information we have collected about you.
Right to Correction
You may request that we correct inaccurate personal information that we maintain about you.
Right to Deletion
You may request that we delete personal information that we have collected from you, subject to certain exceptions (such as completing a transaction or complying with legal obligations).
How to Submit a Request
To exercise any of these rights, please contact us using one of the following methods:
Email: info@thehealproject.org
Mail: The HEAL Project, PO Box 3051, Half Moon Bay, CA 94019
We will respond to your request within 45 days. We may need to verify your identity before processing your request. If you submitted a registration through our Platform, we may ask you to provide information that matches our records.
9. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal information, including:
Encryption in transit using HTTPS/TLS
HTTP Strict Transport Security (HSTS) to prevent downgrade attacks
HttpOnly, Secure, and SameSite session cookies to prevent cookie theft
Content Security Policy (CSP) headers to prevent cross-site scripting
Rate limiting to prevent brute-force attacks
Audit logging for administrative actions
Input validation to prevent injection attacks
While we take reasonable steps to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. DATA RETENTION
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including:
Registration and booking data: Retained for the duration of your relationship with us plus 5 years for record-keeping and grant reporting purposes
Audit logs: Retained for 5 years for security and compliance purposes
Email delivery records: Retained for 30 days after successful delivery
Rate limiting data: Automatically deleted after 1 hour
When personal information is no longer needed, we will securely delete or anonymize it.
11. CHILDREN'S PRIVACY
The Platform is designed for use by school administrators, teachers, and other adult representatives who register field trips on behalf of their schools. We do not knowingly collect personal information directly from children under 13 years of age.
While our Platform processes information about student groups (such as grade levels and student counts), we do not collect individual student names or other personally identifiable information about students.
If you believe we have inadvertently collected personal information from a child under 13, please contact us immediately so we can delete such information.
12. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons.
If we make material changes to this Privacy Policy, we will notify you by:
Posting a notice on the Platform prior to the change becoming effective
Sending an email to registered users (if we have your email address)
Updating the "Last Updated" date at the top of this Privacy Policy
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
13. CONTACT US
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
The HEAL Project
Attn: Privacy Inquiries
PO Box 3051
Half Moon Bay, CA 94019
Email: brett@thehealproject.org
— End of Privacy Policy —